EMV Compliance for Business Owners
Published November 27, 2015
by Ken Givens, Merchant Services Consultant
A major change in the credit card transaction process is at hand and business owners need to be up to speed on how it works. At long last, the United States is adopting the EMV system (which is short for “Europay, MasterCard and Visa”). EMV cards contain secure computer chips that validate the authenticity of the card and include a one-time security code in every transaction.
EMV has been in use in other parts of the world for a decade now with very positive results. For instance, card fraud losses in the United Kingdom are less than half of what they were in 2004. Canada implemented the program in 2009 and saw an 80 percent reduction in losses by 2013.
Upgrade to EMV Terminals
Why has EMV chip technology been so successful? It’s because traditional magnetic strip cards are easily hacked, while chip technology provides dynamic authentication, making it virtually impossible to use for counterfeit card fraud.
Encrypted chip readers that integrate with point-of-sale computer systems or software are normally provided by the hardware or software provider, not the actual card processing company, so contact them as soon as you can to upgrade to an EMV terminal.
How EMV Terminals Work
EMV terminals work a little bit differently than traditional terminals that process transactions with the magnetic strip. Here are some facts and pointers to consider when upgrading your credit card terminal to an EMV terminal:
- The EMV card must be inserted into the machine and not swiped. Cards must be inserted into the terminal’s chip reader slot face up with the chip first. The card must then stay in the card reader for the duration of the transaction (5-10 seconds) which ends with the screen notifying that the card can be removed and a receipt is printed. If the card is removed before the end of the transaction, the payment will not be completed. The chip and the point-of-sale device together determine authenticity.
- Refunds and voids are processed in the same method as before, but can be password-protected so that access is limited. The good news for business owners is that detailed batch reports may be automatically printed for daily audit purposes and monthly statements showing all transactions are typically available online as well as via regular mail.
- Storing customer card information for payment plans should be highly restricted for security. Therefore, using an off-site, cloud-based storage processing service is recommended. These services are inexpensive, password protected, and will mask the initial card number and expiration dates. They allow pre-arranged automatic payments to be drafted on a regular basis or linked to a website so the customer can make their own payment arrangements. The HIPPA Hi-Tech Act requires safeguards and enforcement of all payment and information breaches, so your process must be in compliance with HIPPA. Chip card technology does not impact keyed–in/card-not-present transactions -- only card-present payments.
- Additional financial protection to your business can come in the form of data breach insurance, which is sometimes provided by the payment processing company or the businesses insurance company.
The Need for EMV Compliance
The move to EMV chip card payment in the U.S. is driven by the desire to reduce the incidence of card fraud in card-present transactions, provide global interoperability, and enable safer transactions across contact and contactless channels – and the pace of acceptance and implementation is accelerating. According to the EMV Migration Forum, by the end of 2015, a total of 50 percent of all cards issued in the U.S. (600 million cards) will be chip cards and 60 percent of all point-of-sale (POS) terminals in the U.S. (7 million terminals) will be enabled to accept chip cards.
Therefore business owners should plan to become EMV compliant as soon as possible in order to avoid serious financial consequences.
- Prior to the EMV liability shift in October 2015, card issuers were liable for losses due to counterfeit card-present transactions. MasterCard now exempts merchants from 100% of account data compromise penalties only if at least 95 percent of MasterCard transactions that originate in their stores are handled on EMV-compliant POS terminals. As for Visa, they will hold “the party that is the cause of a chip card transaction not occurring” (e.g., a merchant whose terminals are not EMV-compliant) liable for any resulting card-present counterfeit fraud losses.
- If a merchant accepts a magnetic strip card that was counterfeited but which also has a chip, and the merchant does not have a terminal that can read the chip on that card, the merchant may be on the hook for the fraudulent transaction. This can mean fines, fees, liability to the card holder for losses, replacement of original card, investigation expenses, and legal fees to address these probable circumstances.
- Providers also need to be prepared to accept consumer payments in all forms, including EMV chip cards for in-person transactions as well as mobile and digital transactions like Apple Pay and Google Wallet. Consumers have already begun using EMV chip cards and mobile systems at many national merchants such as Wal-Mart, Target, Home Depot, and Chili’s. Given the speed at which they are adopting the new cards, customers will soon expect to be able to use their EMV chip cards everywhere they go.
- The transition to EMV offers an excellent opportunity to boost your service level as well as your reputation by helping your customers understand the benefits EMV provides them. There is great peace of mind in the knowledge that their data protection has been reinforced with microchip security, making it even more difficult for fraudsters to clone personal card information.
So, if you have not investigated or planned for EMV terminals and EMV compliance, it’s time for you to do so. Contact your card processor immediately to determine your business’s specific needs. If you have already implemented EMV technology, be sure to confirm that the chip reading capability has been enabled. Naturally, you’ll want to train your staff on the new procedures. As for your customers, they will learn very quickly that the machine will hold the card during the transaction and that that is a sign that their security has been increased.
Article and information is courtesy of Ken Givens, Merchant Services Consultant for North American Bancard, a registered ISO/MSP of HSBC Bank USA. Amplify Credit Union does not endorse or guarantee the perspectives, the advice, the users, the businesses, or the products or services sold by any users or businesses that appear in this article.